#incontrol: something you never had is here

Mini story starts at ASK the EXPERT (3 minutes), rest 10-15 minutes

Cyber protection

It’s a new year, and a great time to step away from this old-school, tone-deaf practice! We have been indoctrinated that we need to attend to people, processes and technology. Yet this is where the pitfall lies.
Due to the choice of technical components we are bound to make certain decisions that are imposed upon us due to their limited and outdated capabilities.
Unfortunately, not everyone knows that innovation is already available, and it’s called Triple A from P@ssport: People, Processes, Organization, Similar Events and then, ONLY then, Technology.

If all you have is a hammer, everything looks like a nail

We call these round towers, as explained in the post “illusion of being in control part 3 castles from the cloud”: http://bit.ly/2eUlMlG

We have been brought up with the idea that we need all kinds of reactive technologies to protect us. Yet the world has changed, with Big Data, IoT and Mobility demanding a higher Technological Readiness.

Trip down memory lane

I started out as a sysadmin in 1990, and early on I was involved in developing, testing, accepting and bringing new technologies into production.
Since then, creating and implementing new environments that are non-obstructive and offer new capabilities has been like a magnet to me.
This led to many big names being introduced in the Netherlands that used monitoring and analyzing software, which the vendors used as showcases to win further customers: Microsoft Active Directory 2000 cross-Atlantic, F5, IronMail, System Center Operations Manager, Veeam, Enterprise Vault and some specialized add-ons on SCOM. These have now been readily adopted by many of you, and for great reasons, but they do what they do well as a component, not as a system.

“Any Triple A system will beat any bad person”
Peter Rus

Seeing what was going on was my first step away from the reactive firefighting we were forced to deal with. Yet the input all the devices gave was reactive, and it was sold as protection (against intrusion, data loss, spam).
But it is not…

Protection versus Analysis

Antivirus protection is not protection. It is antivirus analysis: it analyzes the virus, which by then is already on your computer. This is done through signatures that need to be present and updated, yet always after the virus is already in the wild. “Antivirus is dead,” says Symantec: http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html

Lessons Learned

Yet we still invest massively in this ancient reactive technology.
That it is doing the wrong analysis accounts for many of the breaches we have had, and as security technology on its own becomes a vulnerability, you are in the woods.
See my post “another app in the wall”: http://bit.ly/2eTCHIq
So now we need anti-malware running on our computers, which in turn is also being circumvented.
“Fileless infections are difficult to detect and often elude intrusion prevention and antivirus programs,” says Brian Kenyon, chief strategy officer for Symantec. “This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks.” http://www.darkreading.com/vulnerabilities---threats/fileless-malware-takes-2016-by-storm/d/d-id/1327796

New kid in town

A new kid in town is offering more services than reactive and proactive, namely preventive.

Meet P@ssport: with us you can choose all three, GOOD, CHEAP AND FAST, versus the others, FAST & GOOD, who won’t be cheap, and how good they are depends on how well the equipment is installed, maintained and, most especially, updated. See “SIEM sucks”: http://www.csoonline.com/article/3156588/network-security/siems-sometimes-suck.html
As many of these companies found out...

How to reach next Technology Readiness Level

Go and look at your threats and the chance that they turn into something bad that will have an impact on the organization, like they did with Target:

  1. Cyber Security Legislation GDPR/NIS (more proof, more auditing costs)
  2. Re-evaluation of SOC Processes (more monitoring)
  3. More Attention from the C-suite (more reports)
  4. Increased Security Spending (on reactive technology)
  5. Concern for the Future (trying to outrun risk by getting insured)

Similar events: long-term effects of the Target breach https://swimlane.com/top-5-long-term-effects-of-the-target-breach/
Buying a chicken solution, but it might not always be one... a costly mistake

We are addressing these challenges by profiling P@ssport, which is a preventive cyber risk management company, and we are more than happy to elaborate on the Triple A strategy: Against Attacks on Assets.
Through our Triple A framework we take away the issues with security control mechanisms and compliance that many companies now face:

  • Lack of trained staff
  • Lack of necessary tools to automate controls
  • Lack of budget
  • Lack of appropriate tools to audit continuous effectiveness of controls
  • Lack of integration among tools.

Leave the WHY go for the HOW

We all know that 100% security doesn’t exist, and that there are bounty programs that will pay out money if you find vulnerabilities; HackerOne, Bugcrowd, CrowdSecurity and Synack are some of them. These show that there is enough money to be made on vulnerabilities and exploits (http://www.businessinsider.com/hacker-earns-80000-as-bug-bounty-hunter-2016-4), and then they “fix” it until the next vulnerability.
Any of the 12,000 vulnerabilities on https://www.cvedetails.com/ will pay out...

Difference between #incontrol and #notincontrol

Now HOW is P@ssport doing preventive risk management?
Consider the scenario in which a user is tricked into giving out their ID and password to an unauthorized person over the phone. It does not sound like a huge security breach. It is just one tiny mistake, right? Unfortunately, that is not the case. This mistake creates a vulnerability in the security architecture that could result in a substantial loss if exploited. It only takes one open door to create an opportunity for an attacker.

Different view risk vs consequences

Which defense mechanisms and security mechanisms are failing here? In other words, which threat is not countered correctly?

From the Sams hacking guide of 2001: 16 years later, and we still package it in the NEXT whatever. Freely translated: we offer you guaranteed security... Security is a continuous process, not a thing, box or other blinking cube in the NEXT data center. What will a different view offer you then?

We at P@ssport deliver strategic advisors who help you get to the next Technical readiness level, using the BowTieXP method of CGErisk to address, collect and mitigate Cyber Risks so you get #incontrol, and who show why most of these barriers are reactive and currently adding to the exposure and hacks of many companies.

As we can see, we have threats and preventive barriers on the left, reactive barriers and consequences on the right, escalation factors in yellow, and the hazard and the top event in the middle.


The point at which you lose control is, in our world, when the adversary gets into your network.

We have all the technology

Password managers, complex passwords, changing them every 3 months, Next Generation Firewalls: these all fail, since the user is known and the password is known. So the top event occurs, and that is the moment that you are not in control anymore. Clearly the user awareness failed.
The risk that this will happen is great, since people want to be helpful and, for example, 50% of the Dutch don’t even know what ransomware is: http://nltimes.nl/2016/10/03/dutch-lack-knowledge-cybercrime-information-campaign-launched. And psychologically you don’t beat curiosity (“killed the cat”).
Security awareness training or no, users will keep clicking on dodgy links http://bit.ly/2i1cfd2.


The user is known, so that barrier fails too. The intrusion protection system can’t see into the tunnel and sees no abnormal patterns; the same goes for the intrusion detection system and for the SIEM. Even if they did pick up on something, it takes companies on average 199 days after a breach occurs and 3.5 million dollars to clean up the mess. Don’t look in the wrong direction or you might get an unpleasant surprise.
Eventually it will end up in a data breach, which will become an endeavor even without the #fail for GDPR compliance. Take, for example, your data in the cloud and the use of apps set up by marketing with no involvement from the IT department, called Shadow IT. A report reveals that the majority of cloud applications aren’t GDPR-ready: http://bit.ly/2fU61PD

The user’s rights on the database allow him to access it; the user is known, so confidential IP, personal data of customers, etc. will stream out of the company.

GDPR compliance to the rescue?

We say it’s time for a change: cut the snake by the head, not by the tail.
As described in our article https://www.linkedin.com/pulse/article/enterprise-cyber-risk-management-strategy-according-pssport-rus-lion

Make use of preventive technologies and processes, and make sure the technical readiness of your company improves by using innovation. Innovation without a strategy is impossible, because any technology implemented without a strategy will fail, as we see happening with many projects #fail.

So if we go back to the situation: what is the root cause of the data not being safe and being stolen?

  • The awareness of the user failed?
    No, it’s part of the total picture, but what if the user had a token/smartcard that is integrated into the total access infrastructure?

The root cause is that we enable access from the OUTSIDE with the use of passwords without 2-factor authentication: something you know and something you have. Adding this process would take away the possibility of a breach with just a username and password. We would go for a hardware token, since any password and software authentication method is just that, software, and any software is vulnerable. This will lead to an investment that fits within any budget set aside for reactive support and the fee you normally pay for token-based connectivity, and it is much more secure.

This will lead to process optimization and reduce the alerts that would have triggered the monitoring (if any), and by enabling operational excellence you also unlock governance and compliance.

Automating these security controls will provide daily automated data on the readiness of computers to preventively withstand attacks, as well as a prioritized list for system administrators to maintain high levels of security. At the same time it eliminates the massive financial waste associated with thick audit reports that are out of date long before they are presented.

By using our innovative Triple A cyber risk management strategy the company is #incontrol. The new way of securing the assets means that security teams have more time to build out the environment instead of firefighting, the emphasis on complex, specific certificates is no longer needed, and overall the company is compliant, so that opportunities such as data analysis and demands like compliant data processing or access to assets can be easily facilitated.

We will reduce the chance that a top event occurs by using our Triple A strategy, Against Attacks on Assets, and will solve many concerns:

  • Lack of trained staff
  • Lack of necessary tools to automate controls
  • Lack of budget
  • Lack of appropriate tools to audit continuous effectiveness of controls
  • Lack of integration among tools.

Checking viruses on a firewall is the same as asking for a waterproof electricity socket

P@ssport solves 19 of 20 SANS controls and therefore complies with NIST, HIPAA, ISO 27xxx, ISA/IEC 62443 and GDPR. Which control do we miss?
No. 9: Security Skills Assessment and appropriate training to fill the gaps. Now tell us, are you spending that on reactive old technology or on preventive, innovative but proven technology?



Peter Rus

Chief Innovation Officer